Cloud DNS roles and permissions

This page lists the IAM roles and permissions for Cloud DNS. To search through all roles and permissions, see the role and permission index.

Cloud DNS roles

Role Permissions

DNS Administrator (roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.gkeClusters.*

  • dns.gkeClusters.bindDNSResponsePolicy
  • dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
  • dns.networks.useHealthSignals

dns.policies.*

  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer (roles/dns.peer)

Access to target networks with DNS peering zones.

dns.networks.targetWithPeeringZone

DNS Reader (roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud DNS Service Agent (roles/dns.serviceAgent)

Gives Cloud DNS Service Agent access to Cloud Platform resources.

compute.globalNetworkEndpointGroups.attachNetworkEndpoints

compute.globalNetworkEndpointGroups.create

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.detachNetworkEndpoints

compute.globalNetworkEndpointGroups.get

compute.globalOperations.get

compute.healthChecks.get

Cloud DNS permissions

Permission Included in roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Workload Manager Admin (roles/workloadmanager.admin)

Workload Manager Deployment Admin (roles/workloadmanager.deploymentAdmin)

Service agent roles

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Composer Shared VPC Agent (roles/composer.sharedVpcAgent)

DNS Administrator (roles/dns.admin)

DNS Peer (roles/dns.peer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

DNS Reader (roles/dns.reader)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Kubernetes Engine Host Service Agent User (roles/container.hostServiceAgentUser)

DNS Administrator (roles/dns.admin)

Service agent roles